@portaidentity/cli 0.1.0

package/dist/commands/doctor.js

@@ -0,0 +1,198 @@
+/**
+ * CLI doctor command — diagnostic checks for the CLI environment.
+ *
+ * Runs a series of checks to verify the CLI setup is correct:
+ *   1. Node.js version (>= 22.0.0 required)
+ *   2. Credentials file exists and is readable
+ *   3. Token validity (not expired)
+ *   4. Server reachability (health endpoint)
+ *   5. Admin metadata endpoint accessible
+ *
+ * Useful for troubleshooting authentication or connectivity issues.
+ *
+ * Usage:
+ *   porta doctor          # Run all diagnostic checks
+ *   porta doctor --json   # JSON output (machine-readable)
+ *
+ * @module commands/doctor
+ */
+import { loadCredentials, isTokenExpired, getCredentialsPath, hasCredentials, } from '../credential-store.js';
+import { fetchHealthStatus, fetchAdminMetadata } from '../auth/metadata.js';
+import { printJson, success, warn, error as printError } from '../output.js';
+// ---------------------------------------------------------------------------
+// Diagnostic Checks
+// ---------------------------------------------------------------------------
+/**
+ * Check Node.js version meets the minimum requirement.
+ */
+function checkNodeVersion() {
+    const version = process.version;
+    const major = parseInt(version.slice(1).split('.')[0], 10);
+    if (major >= 22) {
+        return { name: 'Node.js version', status: 'pass', message: `${version} (>= 22 required)` };
+    }
+    return { name: 'Node.js version', status: 'fail', message: `${version} — Node.js >= 22.0.0 is required` };
+}
+/**
+ * Check credential file existence and validity.
+ */
+function checkCredentials() {
+    const path = getCredentialsPath();
+    if (!hasCredentials()) {
+        return {
+            name: 'Credentials',
+            status: 'warn',
+            message: `Not found at ${path}. Run "porta login" to authenticate.`,
+        };
+    }
+    const creds = loadCredentials();
+    if (!creds) {
+        return {
+            name: 'Credentials',
+            status: 'fail',
+            message: `File exists at ${path} but cannot be parsed. Try "porta logout" then "porta login".`,
+        };
+    }
+    return {
+        name: 'Credentials',
+        status: 'pass',
+        message: `Found at ${path} (user: ${creds.userInfo.email || creds.userInfo.sub})`,
+    };
+}
+/**
+ * Check token expiry status.
+ */
+function checkTokenExpiry() {
+    const creds = loadCredentials();
+    if (!creds) {
+        return { name: 'Token validity', status: 'warn', message: 'No credentials — skipped' };
+    }
+    if (isTokenExpired(creds)) {
+        return {
+            name: 'Token validity',
+            status: 'warn',
+            message: `Expired at ${creds.expiresAt}. Run "porta login" to re-authenticate.`,
+        };
+    }
+    return {
+        name: 'Token validity',
+        status: 'pass',
+        message: `Valid until ${creds.expiresAt}`,
+    };
+}
+/**
+ * Check server reachability via health endpoint.
+ */
+async function checkServerHealth(serverUrl) {
+    if (!serverUrl) {
+        return {
+            name: 'Server health',
+            status: 'warn',
+            message: 'No server configured — skipped',
+        };
+    }
+    const health = await fetchHealthStatus(serverUrl);
+    if (!health) {
+        return {
+            name: 'Server health',
+            status: 'fail',
+            message: `Cannot reach ${serverUrl}/health`,
+        };
+    }
+    if (health.status === 'ok') {
+        const services = health.services
+            ? Object.entries(health.services).map(([k, v]) => `${k}=${v}`).join(', ')
+            : '';
+        return {
+            name: 'Server health',
+            status: 'pass',
+            message: `${serverUrl} — OK${services ? ` (${services})` : ''}`,
+        };
+    }
+    return {
+        name: 'Server health',
+        status: 'warn',
+        message: `${serverUrl} — status: ${health.status}`,
+    };
+}
+/**
+ * Check admin metadata endpoint accessibility.
+ */
+async function checkMetadata(serverUrl) {
+    if (!serverUrl) {
+        return {
+            name: 'Admin metadata',
+            status: 'warn',
+            message: 'No server configured — skipped',
+        };
+    }
+    try {
+        const metadata = await fetchAdminMetadata(serverUrl);
+        return {
+            name: 'Admin metadata',
+            status: 'pass',
+            message: `Org: ${metadata.orgSlug}, Client: ${metadata.clientId.slice(0, 8)}...`,
+        };
+    }
+    catch (err) {
+        return {
+            name: 'Admin metadata',
+            status: 'fail',
+            message: err instanceof Error ? err.message : 'Unknown error',
+        };
+    }
+}
+// ---------------------------------------------------------------------------
+// Command Definition
+// ---------------------------------------------------------------------------
+/**
+ * The doctor command module — runs diagnostic checks.
+ */
+export const doctorCommand = {
+    command: 'doctor',
+    describe: 'Run diagnostic checks on CLI configuration',
+    handler: async (argv) => {
+        // Handle --insecure flag before any HTTP calls
+        if (argv.insecure) {
+            process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+        }
+        // Resolve server URL for network checks
+        const creds = loadCredentials();
+        const serverUrl = argv.server || process.env.PORTA_SERVER || creds?.server;
+        // Run all checks
+        const results = [
+            checkNodeVersion(),
+            checkCredentials(),
+            checkTokenExpiry(),
+            await checkServerHealth(serverUrl),
+            await checkMetadata(serverUrl),
+        ];
+        // Output
+        if (argv.json) {
+            printJson(results);
+        }
+        else {
+            console.log('\nPorta CLI Diagnostics\n');
+            for (const check of results) {
+                const icon = check.status === 'pass' ? '✅' : check.status === 'warn' ? '⚠️' : '❌';
+                console.log(`  ${icon} ${check.name}: ${check.message}`);
+            }
+            console.log('');
+            const failures = results.filter((r) => r.status === 'fail');
+            const warnings = results.filter((r) => r.status === 'warn');
+            if (failures.length > 0) {
+                printError(`${failures.length} check(s) failed`);
+            }
+            else if (warnings.length > 0) {
+                warn(`All checks passed with ${warnings.length} warning(s)`);
+            }
+            else {
+                success('All checks passed');
+            }
+        }
+        // Exit with failure if any check failed
+        const hasFailure = results.some((r) => r.status === 'fail');
+        process.exit(hasFailure ? 1 : 0);
+    },
+};
+//# sourceMappingURL=doctor.js.map

package/dist/commands/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,OAAO,EACL,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,cAAc,GACf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,cAAc,CAAC;AAa7E,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;GAEG;AACH,SAAS,gBAAgB;IACvB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAE3D,IAAI,KAAK,IAAI,EAAE,EAAE,CAAC;QAChB,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,mBAAmB,EAAE,CAAC;IAC7F,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,kCAAkC,EAAE,CAAC;AAC5G,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAElC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;QACtB,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gBAAgB,IAAI,sCAAsC;SACpE,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,kBAAkB,IAAI,+DAA+D;SAC/F,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,YAAY,IAAI,WAAW,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,GAAG;KAClF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACzF,CAAC;IAED,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,cAAc,KAAK,CAAC,SAAS,yCAAyC;SAChF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,eAAe,KAAK,CAAC,SAAS,EAAE;KAC1C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,iBAAiB,CAAC,SAA6B;IAC5D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gCAAgC;SAC1C,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gBAAgB,SAAS,SAAS;SAC5C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ;YAC9B,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACzE,CAAC,CAAC,EAAE,CAAC;QACP,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,SAAS,QAAQ,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;SAChE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,GAAG,SAAS,cAAc,MAAM,CAAC,MAAM,EAAE;KACnD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,SAA6B;IACxD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gCAAgC;SAC1C,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QACrD,OAAO;YACL,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,QAAQ,QAAQ,CAAC,OAAO,aAAa,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK;SACjF,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAgD;IACxE,OAAO,EAAE,QAAQ;IACjB,QAAQ,EAAE,4CAA4C;IAEtD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtB,+CAA+C;QAC/C,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,GAAG,CAAC;QACjD,CAAC;QAED,wCAAwC;QACxC,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,KAAK,EAAE,MAAM,CAAC;QAE3E,iBAAiB;QACjB,MAAM,OAAO,GAAkB;YAC7B,gBAAgB,EAAE;YAClB,gBAAgB,EAAE;YAClB,gBAAgB,EAAE;YAClB,MAAM,iBAAiB,CAAC,SAAS,CAAC;YAClC,MAAM,aAAa,CAAC,SAAS,CAAC;SAC/B,CAAC;QAEF,SAAS;QACT,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,SAAS,CAAC,OAAO,CAAC,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YAEzC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;gBAClF,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3D,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEhB,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;YAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;YAE5D,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,UAAU,CAAC,GAAG,QAAQ,CAAC,MAAM,kBAAkB,CAAC,CAAC;YACnD,CAAC;iBAAM,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,IAAI,CAAC,0BAA0B,QAAQ,CAAC,MAAM,aAAa,CAAC,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,mBAAmB,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;CACF,CAAC"}

package/dist/commands/exports.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Exports command — export data as CSV or JSON.
+ *
+ * Subcommands:
+ *   download   Export entity data to a file or stdout
+ *
+ * @module commands/exports
+ */
+import type { CommandModule } from 'yargs';
+import type { GlobalOptions } from '../global-options.js';
+export declare const exportsCommand: CommandModule<GlobalOptions, GlobalOptions>;
+//# sourceMappingURL=exports.d.ts.map

package/dist/commands/exports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exports.d.ts","sourceRoot":"","sources":["../../src/commands/exports.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAC3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAqB1D,eAAO,MAAM,cAAc,EAAE,aAAa,CAAC,aAAa,EAAE,aAAa,CAsEtE,CAAC"}

package/dist/commands/exports.js

@@ -0,0 +1,80 @@
+/**
+ * Exports command — export data as CSV or JSON.
+ *
+ * Subcommands:
+ *   download   Export entity data to a file or stdout
+ *
+ * @module commands/exports
+ */
+import fs from 'node:fs';
+import { createClient } from '../client-factory.js';
+import { handleError } from '../error-handler.js';
+import { success, info } from '../output.js';
+// ---------------------------------------------------------------------------
+// Command
+// ---------------------------------------------------------------------------
+export const exportsCommand = {
+    command: 'exports',
+    describe: 'Export data as CSV or JSON',
+    builder: (yargs) => yargs
+        .command('download', 'Export entity data', (y) => y
+        .option('entity-type', {
+        type: 'string',
+        describe: 'Entity type to export',
+        choices: ['organizations', 'applications', 'clients', 'users', 'roles', 'permissions', 'audit'],
+        demandOption: true,
+    })
+        .option('format', {
+        type: 'string',
+        describe: 'Export format',
+        choices: ['csv', 'json'],
+        default: 'csv',
+    })
+        .option('org-id', {
+        type: 'string',
+        describe: 'Filter by organization ID',
+    })
+        .option('app-id', {
+        type: 'string',
+        describe: 'Filter by application ID',
+    })
+        .option('output', {
+        alias: 'o',
+        type: 'string',
+        describe: 'Output file path (default: stdout)',
+    }), async (argv) => {
+        try {
+            const client = createClient(argv);
+            const response = await client.exports.download({
+                entityType: argv['entity-type'],
+                format: argv.format,
+                organizationId: argv['org-id'],
+                applicationId: argv['app-id'],
+            });
+            // The SDK returns a TransportResponse with raw body
+            const content = typeof response.body === 'string'
+                ? response.body
+                : JSON.stringify(response.body, null, 2);
+            if (argv.output) {
+                fs.writeFileSync(argv.output, content, 'utf-8');
+                success(`Exported ${argv['entity-type']} to ${argv.output}`);
+            }
+            else {
+                // Write to stdout
+                process.stdout.write(content);
+                if (!content.endsWith('\n')) {
+                    process.stdout.write('\n');
+                }
+                info(`Exported ${argv['entity-type']} (${argv.format})`);
+            }
+        }
+        catch (err) {
+            handleError(err, argv.verbose);
+        }
+    })
+        .demandCommand(1, 'Please specify an exports subcommand: download'),
+    handler: () => {
+        // No-op — subcommands handle execution
+    },
+};
+//# sourceMappingURL=exports.js.map

package/dist/commands/exports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exports.js","sourceRoot":"","sources":["../../src/commands/exports.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AAGzB,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAc7C,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,CAAC,MAAM,cAAc,GAAgD;IACzE,OAAO,EAAE,SAAS;IAClB,QAAQ,EAAE,4BAA4B;IACtC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,KAAK;SACF,OAAO,CACN,UAAU,EACV,oBAAoB,EACpB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC;SACE,MAAM,CAAC,aAAa,EAAE;QACrB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,uBAAuB;QACjC,OAAO,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,CAAU;QACxG,YAAY,EAAE,IAAI;KACnB,CAAC;SACD,MAAM,CAAC,QAAQ,EAAE;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,CAAU;QACjC,OAAO,EAAE,KAAK;KACf,CAAC;SACD,MAAM,CAAC,QAAQ,EAAE;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,2BAA2B;KACtC,CAAC;SACD,MAAM,CAAC,QAAQ,EAAE;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,0BAA0B;KACrC,CAAC;SACD,MAAM,CAAC,QAAQ,EAAE;QAChB,KAAK,EAAE,GAAG;QACV,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,oCAAoC;KAC/C,CAAC,EACN,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAC7C,UAAU,EAAE,IAAI,CAAC,aAAa,CAA+F;gBAC7H,MAAM,EAAE,IAAI,CAAC,MAAwB;gBACrC,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC;gBAC9B,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC;aAC9B,CAAC,CAAC;YAEH,oDAAoD;YACpD,MAAM,OAAO,GAAG,OAAO,QAAQ,CAAC,IAAI,KAAK,QAAQ;gBAC/C,CAAC,CAAC,QAAQ,CAAC,IAAI;gBACf,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE3C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;gBAChD,OAAO,CAAC,YAAY,IAAI,CAAC,aAAa,CAAC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,kBAAkB;gBAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC9B,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7B,CAAC;gBACD,IAAI,CAAC,YAAY,IAAI,CAAC,aAAa,CAAC,KAAK,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CACF;SACA,aAAa,CAAC,CAAC,EAAE,gDAAgD,CAAC;IACvE,OAAO,EAAE,GAAG,EAAE;QACZ,uCAAuC;IACzC,CAAC;CACF,CAAC"}

package/dist/commands/health.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Health command — check server health.
+ *
+ * Makes a simple HTTP GET to /health on the Porta server.
+ * Does not require authentication.
+ *
+ * @module commands/health
+ */
+import type { CommandModule } from 'yargs';
+import type { GlobalOptions } from '../global-options.js';
+export declare const healthCommand: CommandModule<GlobalOptions, GlobalOptions>;
+//# sourceMappingURL=health.d.ts.map

package/dist/commands/health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../src/commands/health.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAC3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAqB1D,eAAO,MAAM,aAAa,EAAE,aAAa,CAAC,aAAa,EAAE,aAAa,CAuCrE,CAAC"}

package/dist/commands/health.js

@@ -0,0 +1,53 @@
+/**
+ * Health command — check server health.
+ *
+ * Makes a simple HTTP GET to /health on the Porta server.
+ * Does not require authentication.
+ *
+ * @module commands/health
+ */
+import { resolveServerUrl } from '../global-options.js';
+import { handleError } from '../error-handler.js';
+import { printJson, success, error as printError } from '../output.js';
+// ---------------------------------------------------------------------------
+// Command
+// ---------------------------------------------------------------------------
+export const healthCommand = {
+    command: 'health',
+    describe: 'Check Porta server health',
+    builder: (y) => y,
+    handler: async (argv) => {
+        try {
+            const serverUrl = resolveServerUrl(argv);
+            const url = new URL('/health', serverUrl);
+            // Use fetch (Node 22 built-in) for unauthenticated health check
+            const response = await fetch(url.toString(), {
+                method: 'GET',
+                headers: { Accept: 'application/json' },
+                // Respect --insecure flag for self-signed certs
+                ...(argv.insecure ? { dispatcher: undefined } : {}),
+            });
+            const body = (await response.json());
+            if (argv.json) {
+                printJson(body);
+                return;
+            }
+            if (response.ok && body.status === 'ok') {
+                success(`Server is healthy (${serverUrl})`);
+                console.log(`  Database: ${body.database}`);
+                console.log(`  Redis:    ${body.redis}`);
+            }
+            else {
+                printError(`Server is unhealthy (${serverUrl})`);
+                console.log(`  Status:   ${body.status}`);
+                console.log(`  Database: ${body.database}`);
+                console.log(`  Redis:    ${body.redis}`);
+                process.exitCode = 1;
+            }
+        }
+        catch (err) {
+            handleError(err, argv.verbose);
+        }
+    },
+};
+//# sourceMappingURL=health.js.map

package/dist/commands/health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.js","sourceRoot":"","sources":["../../src/commands/health.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,cAAc,CAAC;AAcvE,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,CAAC,MAAM,aAAa,GAAgD;IACxE,OAAO,EAAE,QAAQ;IACjB,QAAQ,EAAE,2BAA2B;IACrC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAE1C,gEAAgE;YAChE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;gBAC3C,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;gBACvC,gDAAgD;gBAChD,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmB,CAAC;YAEvD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,SAAS,CAAC,IAAI,CAAC,CAAC;gBAChB,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,CAAC,EAAE,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;gBACxC,OAAO,CAAC,sBAAsB,SAAS,GAAG,CAAC,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,wBAAwB,SAAS,GAAG,CAAC,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACzC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/commands/keys.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Keys command — manage signing keys.
+ *
+ * Subcommands:
+ *   list       List all signing keys
+ *   generate   Generate a new ES256 key pair
+ *   rotate     Rotate: generate new + retire current active
+ *
+ * @module commands/keys
+ */
+import type { CommandModule } from 'yargs';
+import type { GlobalOptions } from '../global-options.js';
+export declare const keysCommand: CommandModule<GlobalOptions, GlobalOptions>;
+//# sourceMappingURL=keys.d.ts.map

package/dist/commands/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAC3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAgB1D,eAAO,MAAM,WAAW,EAAE,aAAa,CAAC,aAAa,EAAE,aAAa,CAkGnE,CAAC"}

package/dist/commands/keys.js

@@ -0,0 +1,91 @@
+/**
+ * Keys command — manage signing keys.
+ *
+ * Subcommands:
+ *   list       List all signing keys
+ *   generate   Generate a new ES256 key pair
+ *   rotate     Rotate: generate new + retire current active
+ *
+ * @module commands/keys
+ */
+import { createClient } from '../client-factory.js';
+import { handleError } from '../error-handler.js';
+import { printTable, printJson, success, warn, formatDate, truncate } from '../output.js';
+import { confirm } from '../prompt.js';
+// ---------------------------------------------------------------------------
+// Command
+// ---------------------------------------------------------------------------
+export const keysCommand = {
+    command: 'keys',
+    describe: 'Manage signing keys',
+    builder: (yargs) => yargs
+        // ── list ──────────────────────────────────────────────────────────
+        .command('list', 'List all signing keys', (y) => y, async (argv) => {
+        try {
+            const client = createClient(argv);
+            const keys = await client.keys.list();
+            if (argv.json) {
+                printJson(keys);
+                return;
+            }
+            if (keys.length === 0) {
+                warn('No signing keys found');
+                return;
+            }
+            printTable(['ID', 'KID', 'Algorithm', 'Status', 'Created', 'Rotated'], keys.map((k) => [
+                truncate(k.id, 12),
+                k.kid,
+                k.algorithm,
+                k.isActive ? 'active' : 'retired',
+                formatDate(k.createdAt),
+                formatDate(k.rotatedAt),
+            ]));
+            success(`${keys.length} signing key(s)`);
+        }
+        catch (err) {
+            handleError(err, argv.verbose);
+        }
+    })
+        // ── generate ──────────────────────────────────────────────────────
+        .command('generate', 'Generate a new ES256 key pair', (y) => y, async (argv) => {
+        try {
+            const client = createClient(argv);
+            const key = await client.keys.generate();
+            if (argv.json) {
+                printJson(key);
+                return;
+            }
+            success(`Generated signing key: ${key.kid} (${truncate(key.id, 12)})`);
+        }
+        catch (err) {
+            handleError(err, argv.verbose);
+        }
+    })
+        // ── rotate ────────────────────────────────────────────────────────
+        .command('rotate', 'Rotate signing keys (generate new + retire current active)', (y) => y, async (argv) => {
+        try {
+            if (!argv.force) {
+                const ok = await confirm('Rotate signing keys? This will retire the current active key.');
+                if (!ok) {
+                    warn('Aborted');
+                    return;
+                }
+            }
+            const client = createClient(argv);
+            const key = await client.keys.rotate();
+            if (argv.json) {
+                printJson(key);
+                return;
+            }
+            success(`Rotated signing keys. New active key: ${key.kid}`);
+        }
+        catch (err) {
+            handleError(err, argv.verbose);
+        }
+    })
+        .demandCommand(1, 'Please specify a keys subcommand: list, generate, rotate'),
+    handler: () => {
+        // No-op — subcommands handle execution
+    },
+};
+//# sourceMappingURL=keys.js.map

package/dist/commands/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAQvC,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,CAAC,MAAM,WAAW,GAAgD;IACtE,OAAO,EAAE,MAAM;IACf,QAAQ,EAAE,qBAAqB;IAC/B,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,KAAK;QACH,qEAAqE;SACpE,OAAO,CACN,MAAM,EACN,uBAAuB,EACvB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EACR,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAEtC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,SAAS,CAAC,IAAI,CAAC,CAAC;gBAChB,OAAO;YACT,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACtB,IAAI,CAAC,uBAAuB,CAAC,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,UAAU,CACR,CAAC,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,EAC1D,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;gBACd,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC;gBAClB,CAAC,CAAC,GAAG;gBACL,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;gBACjC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;gBACvB,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;aACxB,CAAC,CACH,CAAC;YACF,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,iBAAiB,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CACF;QAED,qEAAqE;SACpE,OAAO,CACN,UAAU,EACV,+BAA+B,EAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EACR,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YAEzC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,SAAS,CAAC,GAAG,CAAC,CAAC;gBACf,OAAO;YACT,CAAC;YAED,OAAO,CAAC,0BAA0B,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC;QACzE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CACF;QAED,qEAAqE;SACpE,OAAO,CACN,QAAQ,EACR,4DAA4D,EAC5D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EACR,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,+DAA+D,CAAC,CAAC;gBAC1F,IAAI,CAAC,EAAE,EAAE,CAAC;oBACR,IAAI,CAAC,SAAS,CAAC,CAAC;oBAChB,OAAO;gBACT,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAEvC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,SAAS,CAAC,GAAG,CAAC,CAAC;gBACf,OAAO;YACT,CAAC;YAED,OAAO,CAAC,yCAAyC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CACF;SACA,aAAa,CAAC,CAAC,EAAE,0DAA0D,CAAC;IACjF,OAAO,EAAE,GAAG,EAAE;QACZ,uCAAuC;IACzC,CAAC;CACF,CAAC"}

package/dist/commands/login.d.ts

@@ -0,0 +1,36 @@
+/**
+ * CLI login command — authenticate with a Porta server.
+ *
+ * Implements the OIDC Authorization Code + PKCE flow for CLI authentication.
+ * This is the same pattern used by `az login`, `gh auth login`, and similar
+ * CLI tools that authenticate via browser-based flows.
+ *
+ * Usage:
+ *   porta login                              # Login to default server
+ *   porta login --server https://example.com # Login to remote server
+ *   porta login --no-browser                 # Manual mode: print URL, paste callback
+ *   porta login --client-id <id>             # Override auto-discovered client ID
+ *
+ * Docker / headless environments:
+ *   When running inside a Docker container (auto-detected via /.dockerenv),
+ *   the command automatically uses manual mode (--no-browser).
+ *
+ * @module commands/login
+ */
+import type { CommandModule } from 'yargs';
+import type { GlobalOptions } from '../global-options.js';
+/** Options specific to the login command */
+interface LoginOptions extends GlobalOptions {
+    server: string;
+    'client-id'?: string;
+    'no-browser': boolean;
+}
+/**
+ * The login command module — authenticates the CLI with a Porta server.
+ *
+ * Uses OIDC Authorization Code + PKCE flow. Opens a browser for
+ * interactive authentication, then stores the tokens locally.
+ */
+export declare const loginCommand: CommandModule<GlobalOptions, LoginOptions>;
+export {};
+//# sourceMappingURL=login.d.ts.map

package/dist/commands/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAC3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAiB1D,4CAA4C;AAC5C,UAAU,YAAa,SAAQ,aAAa;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;CACvB;AAMD;;;;;GAKG;AACH,eAAO,MAAM,YAAY,EAAE,aAAa,CAAC,aAAa,EAAE,YAAY,CA+CnE,CAAC"}

package/dist/commands/login.js

@@ -0,0 +1,78 @@
+/**
+ * CLI login command — authenticate with a Porta server.
+ *
+ * Implements the OIDC Authorization Code + PKCE flow for CLI authentication.
+ * This is the same pattern used by `az login`, `gh auth login`, and similar
+ * CLI tools that authenticate via browser-based flows.
+ *
+ * Usage:
+ *   porta login                              # Login to default server
+ *   porta login --server https://example.com # Login to remote server
+ *   porta login --no-browser                 # Manual mode: print URL, paste callback
+ *   porta login --client-id <id>             # Override auto-discovered client ID
+ *
+ * Docker / headless environments:
+ *   When running inside a Docker container (auto-detected via /.dockerenv),
+ *   the command automatically uses manual mode (--no-browser).
+ *
+ * @module commands/login
+ */
+import { executeBrowserFlow } from '../auth/browser-flow.js';
+import { saveCredentials } from '../credential-store.js';
+import { success } from '../output.js';
+import { handleError } from '../error-handler.js';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** Default Porta server URL for local development */
+const DEFAULT_SERVER = 'https://porta.local:3443';
+// ---------------------------------------------------------------------------
+// Command Definition
+// ---------------------------------------------------------------------------
+/**
+ * The login command module — authenticates the CLI with a Porta server.
+ *
+ * Uses OIDC Authorization Code + PKCE flow. Opens a browser for
+ * interactive authentication, then stores the tokens locally.
+ */
+export const loginCommand = {
+    command: 'login',
+    describe: 'Authenticate with a Porta server',
+    builder: (yargs) => yargs
+        .option('server', {
+        type: 'string',
+        describe: 'Porta server URL',
+        default: DEFAULT_SERVER,
+    })
+        .option('client-id', {
+        type: 'string',
+        describe: 'Override admin client ID (normally auto-discovered from server)',
+    })
+        .option('no-browser', {
+        type: 'boolean',
+        describe: 'Print login URL instead of opening browser',
+        default: false,
+    }),
+    handler: async (argv) => {
+        try {
+            // Handle --insecure flag before any HTTP calls
+            if (argv.insecure) {
+                process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+            }
+            // Execute the OIDC browser flow
+            const result = await executeBrowserFlow({
+                server: argv.server,
+                clientId: argv['client-id'],
+                noBrowser: argv['no-browser'],
+            });
+            // Store credentials to disk
+            saveCredentials(result);
+            success(`Logged in as ${result.userInfo.email || result.userInfo.sub}`);
+            process.exit(0);
+        }
+        catch (err) {
+            handleError(err, argv.verbose);
+        }
+    },
+};
+//# sourceMappingURL=login.js.map

package/dist/commands/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/commands/login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,qDAAqD;AACrD,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAalD,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAA+C;IACtE,OAAO,EAAE,OAAO;IAChB,QAAQ,EAAE,kCAAkC;IAE5C,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,KAAK;SACF,MAAM,CAAC,QAAQ,EAAE;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,kBAAkB;QAC5B,OAAO,EAAE,cAAc;KACxB,CAAC;SACD,MAAM,CAAC,WAAW,EAAE;QACnB,IAAI,EAAE,QAAQ;QACd,QAAQ,EACN,iEAAiE;KACpE,CAAC;SACD,MAAM,CAAC,YAAY,EAAE;QACpB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,4CAA4C;QACtD,OAAO,EAAE,KAAK;KACf,CAAC;IAEN,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtB,IAAI,CAAC;YACH,+CAA+C;YAC/C,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,GAAG,CAAC;YACjD,CAAC;YAED,gCAAgC;YAChC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;gBACtC,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC;gBAC3B,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC;aAC9B,CAAC,CAAC;YAEH,4BAA4B;YAC5B,eAAe,CAAC,MAAM,CAAC,CAAC;YAExB,OAAO,CACL,gBAAgB,MAAM,CAAC,QAAQ,CAAC,KAAK,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,CAC/D,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/commands/logout.d.ts

@@ -0,0 +1,25 @@
+/**
+ * CLI logout command — clear stored authentication tokens.
+ *
+ * Removes the ~/.porta/credentials.json file, effectively logging out
+ * the CLI user. Does NOT revoke tokens on the server — the access token
+ * will expire naturally based on its TTL.
+ *
+ * This is a local-only operation that does not require a network connection
+ * or a running Porta server.
+ *
+ * Usage:
+ *   porta logout
+ *
+ * @module commands/logout
+ */
+import type { CommandModule } from 'yargs';
+import type { GlobalOptions } from '../global-options.js';
+/**
+ * The logout command module — clears stored CLI authentication tokens.
+ *
+ * Reads existing credentials to show who was logged in, then deletes
+ * the credentials file. Safe to run even when not logged in.
+ */
+export declare const logoutCommand: CommandModule<GlobalOptions, GlobalOptions>;
+//# sourceMappingURL=logout.d.ts.map